NSA knew about Heartbleed for two years - Bloomberg

The critical “Heartbleed” bug reported earlier this week to have affected the security of most of the internet was discovered by researchers at the United States National Security Agency two years earlier, according to a new report.

On Friday afternoon, Bloomberg News journalist Michael Riley
reported that the NSA knew about the
monstrous flaw for at least two years ahead of this week’s
announcement, but kept it hidden from technologists and instead
exploited it to hack the computers and correspondence of certain
intelligence targets.

Earlier in the week, the open-source OpenSSL internet security
project issued an emergency advisory after the discovery of the
Heartbleed bug revealed a weakness that may for years have
allowed hackers to access online information otherwise thought to
be protected by the SSL/TLS encryption standard used by around
two-thirds of the web.

But according to sources that Riley says are familiar with the
matter, the NSA, shortly after first discovering the bug in early
2012, kept its details secret so that it could be added to the
agency’s toolbox of exploits and hacks.

“The agency found the Heartbeat glitch shortly after its
introduction, according to one of the people familiar with the
matter, and it became a basic part of the agency’s toolkit for
stealing account passwords and other common tasks,” Riley
wrote.

“Putting the Heartbleed bug in its arsenal, the NSA was able
to obtain passwords and other basic data that are the building
blocks of the sophisticated hacking operations at the core of its
mission, but at a cost,” he added. “Millions of ordinary
users were left vulnerable to attack from other nations’
intelligence arms and criminal hackers.”

Shortly after Bloomberg published its report, agency
spokeswoman Vanee Vines told the National Journal that the NSA “was not aware
of the recently identified vulnerability in OpenSSL, the
so-called Heartbleed vulnerability, until it was made public in a
private-sector cybersecurity report.”

In December, a five-person review group handpicked by US
President Barack Obama to reassess the NSA’s intelligence-gathering
abilities said that the government must not stockpile
details about so-called “zero day” vulnerabilities, flaws
unknown to computer programmers, who have thus had “zero days” to
patch them.

“In almost all instances, for widely used code, it is in the
national interest to eliminate software vulnerabilities rather
than to use them for US intelligence collection,” the group
told the president. “Eliminating the vulnerabilities —
‘patching’ them — strengthens the security of US Government,
critical infrastructure, and other computer systems.”

“We recommend that, when an urgent and significant national
security priority can be addressed by the use of a Zero Day, an
agency of the US Government may be authorized to use temporarily
a Zero Day instead of immediately fixing the underlying
vulnerability.”

President Obama has since asked Congress to adhere to one of that
group’s recommendations — halting the government’s bulk
collection of telephony metadata — but has not publicly spoken
of zero days before or after this week’s discovery of Heartbleed.

Previously, however, journalists and privacy advocates working
with the trove of classified NSA documents disclosed last year by
former contractor Edward Snowden said that the secretive
intelligence agency had been undermining the very security of the
internet by exploiting other flaws to hack targets.

At a security conference in December, expert Jacob Appelbaum from
Germany’s Der Spiegel magazine said that the NSA had acquired the
means to compromise any Apple iPhone in the world and
occasionally relied on a number of high-tech tools and implants
to hack targets.

“Basically the NSA, they want to be able to spy on you. And
if they have ten different options for spying on you that you
know about, they have 13 ways of doing it and they do all 13. So
that’s a pretty scary thing,” said Appelbaum, who previously
spoke on behalf of WikiLeaks at a US conference and is a core
member of the Tor anonymity project.

And since June, NSA leaks disclosed by Mr. Snowden have shown
that the NSA has done everything from physically tapping into
fiber optic undersea internet cables to get further access to the
world’s communications, to tricking the systems administrators of
private companies into installing malware that would open up
their machines to American spies.